How to know what unsuccessful SSH attempts our server has had

Not long ago I explained how to know which IPs have been connected by SSH, but ... what if the username or password was incorrect and they didn't connect?

In other words, if there is someone trying to guess how to access our computer or server by SSH, we really need to know, or not?

For that we will do the same procedure as in the previous post, we will filter the authentication log but this time, with a different filter:

cat /var/log/auth* | grep Failed

They should run the above command like root, or with sudo to do it with administrative permissions.

I leave a screenshot of how it looks:

As you can see, it shows me the month, day and time of each failed attempt, as well as the user with which they tried to enter and the IP from which they tried to access.

But this can be arranged a bit more, we will use awk to improve the result a bit:

cat /var/log/auth* | grep Failed | awk '{print $2 "-" $1 " " $3 "\t USUARIO: " $9 "\t DESDE: " $11}'

The above is ONE line.

Here we see how it would look:

This line that I just showed you should not be memorized all by heart, you can create a alias for her, the result is the same as with the first line anyway, just a little more organized.

This I know will not be useful to many, but for those of us who manage servers I know that it will show us some interesting data hehe.


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

8 comments, leave yours

Leave a Comment

Your email address will not be published. Required fields are marked with *



  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.

  1.   hackloper775 said

    Very good use of pipes


    1.    KZKG ^ Gaara said

      Thank you

  2.   FIXOCONN said

    Excellent the 2 post

  3.   Mystog @ N said

    I always used the first one, because I don't know awk, but I'm going to have to learn it

    cat / var / log / auth * | grep Failed

    Here where I work, at the Faculty of Mathematics-Computing at the Univ de Oriente in Cuba, we have a factory of "little hackers" who are constantly inventing things that they shouldn't and I have to be with 8 eyes. The ssh theme is one of them. Thanks for the tip dude.

  4.   Hugo said

    One doubt: if one has a server facing the internet but in iptables one opens the ssh port only for certain internal MAC addresses (let's say from an office), access attempts from the rest of the internal addresses would reach the authentication log and / or external? Because I have my doubts.

    1.    KZKG ^ Gaara said

      In the log what is saved is only the requests allowed by the firewall, but denied or approved by the system as such (I mean the login).
      If the firewall does not allow SSH requests to pass, nothing will reach the log.

      This I have not tried, but come on ... I think it must be like this 😀

  5.   Bray said

    grep -i failed /var/log/auth.log | awk '{print $ 2 «-» $ 1 »» $ 3 «\ t USER:» $ 9 «\ t FROM:» $ 11}'
    rgrep -i failed / var / log / (logrotates folders) | awk '{print $ 2 «-» $ 1 »» $ 3 «\ t USER:» $ 9 «\ t FROM:» $ 11}'

    1.    Bray said

      in centos-redhat… ..etc ……
      / var / log / secure